Re: Ability to withstand well known attacks

[Florian Weimer <fw@deneb.enyo.de>]

Neal Ziring <nziring@thecouch.ncsc.mil> writes:

> There's no free lunch - on a fast enough link, I suspect some
> performance impact is inevitable for complex ACLs.

You can perform incoming ACL lookup and routing decision in parallel,
resulting in little impact.

Devices capable of storing thousands of ACL entries and millions of
lookups per second already exist, and they are reprogrammable at
reasonable speed.

["no known issues" requirement]

> I agree with the spirit of the requirement, but I just can't think
> of any good way to express it that will be objectively testable

Furthermore, it's a process thing.  Even if the vendor sells a device
that has no known issues, the really interesting problem is how the
fixes are distributed to affected customers.  "no known issues" is a
moving target, and there has to be a process that reflects this.

Obviously, we can't propose a final solution in this area, as there is
no consensus how such things should be done.  But a short mention of
the conflicting goals of security defect mitigation wouldn't hurt.